b"    Internal Control Review of the\n    Government Purchase Card Program\n\n\n\n\n                              September 18, 2008\n                                  Report No. 440\n\n\n\n\n\xc2\xa0                \xc2\xa0\n\x0c                                                      U N I T E D STATES\n                                    SECURITIES A N D EXCHANGE COMMISSION\n                                                WASHINGTON, D . C . 20549\n\n     OFFICE O F\nINSPECTOR G E N E R A L                             September 18,2008\n\n             To:                 Sharon Sheehan, Associate Executive Director, Office of Administrative\n                                 Services\n\n             From:\n\n             Subject:\n                                 H. David Kotz, Inspector Genera\n                                                                MJ\n                                 Audit of the Government Purchase Card Program, Report No. 440\n\n             This memorandum transmits the Securities and Exchange Commission, Office of\n             Inspector General's (OIG's) final report detailing the results of our audit on the\n             government purchase card program. The audit was conducted by OIG's contractor\n             Kearney & Company, as part of our continuous effort, to assess the management of the\n             Commission's programs and operations.\n\n             The final report contains 17 recommendations, which if implemented, should improve the\n             operations of the government purchase card program. Your written response to the draft\n             report, dated September 15,2008, is included in its entirety in Appendix I1 to the audit\n             report. The Office of Administrative Services concurred with all of the report\n             recommendations and has already initiated corrective action to address many of the\n             deficiencies identified during the audit.\n\n             Should you have any questions regarding this report, please do not hesitate to contact me.\n            'We appreciate the courtesy and cooperation that you and your staff extended to our\n             auditors and contractor during this audit.\n\n\n             Attachment\n\n             cc:\n                          Peter M. Uhlmann, Chief of Staff\n                          Diego Ruiz, Executive Director, Office of the Executive Director\n                          Kristine Chadwick, Associate Executive Director, OFM\n                          Norbert Doyle, Assistant Director, Office of Acquisitions, OAS\n                          George Eckard, Assistant Director, Finance and Administration Office, OIT\n                          Zayra Okrak, Assistant Director, Finance and Accounting Office, OFM\n                          Diane Galvin, Assistant Director, Planning and Budget Office, OFM\n                          Alan Diguardia, Branch Chief, Financial Operations Branch, OFM\n                          Kim Davis, GPC Agency Program Coordinator, OAS\n                          Darlene L. Pryor, Management Analyst, OED\n\n                          Rick Hillman, Managing Director of Financial Markets and Community\n                          Investment, GAO\n\x0c\xc2\xa0\n                    TABLE OF CONTENTS\n                                                 Page #\n\n1.   EXECUTIVE SUMMARY                             1\n\n2.   OBJECTIVES, SCOPE, AND METHODOLOGY            2\n\n3.   BACKGROUND                                    3\n\n4.   RESULTS                                       4\n\nAPPENDIX I \xe2\x80\x93 LIST OF RECOMMENDATIONS\n\nAPPENDIX II \xe2\x80\x93 MANAGEMENT COMMENTS\n\nAPPENDIX III \xe2\x80\x93 OFFICE OF INSPECTOR GENERAL\n               RESPONSE TO MANAGEMENT COMMENTS\n\n\n\n\n                               ii\n\n\n\n\xc2\xa0\n\x0c\xc2\xa0\n\n1.     EXECUTIVE SUMMARY\n\nThe Securities and Exchange Commission\xe2\x80\x99s (SEC\xe2\x80\x99s) Office of Inspector General (OIG)\ncontracted the services of Kearney & Company (Kearney) to conduct an audit of the SEC\xe2\x80\x99s\nGovernment Purchase Card (GPC) program. Effective internal controls over the GPC program\nare necessary to ensure that fraudulent, improper, and abusive purchases do not occur, and if\nsuch purchases do occur, the transactions are promptly detected and appropriate corrective action\nis taken.\n\nThe OIG contracted Kearney to conduct this audit as a follow-up to the OIG\xe2\x80\x99s report, Purchase\nCards, which was issued November 25, 2002. Kearney\xe2\x80\x99s primary audit objectives were to assess\nthe design of the GPC program\xe2\x80\x99s internal controls and operations and to determine whether:\n1) improper or potentially fraudulent purchases were made through the GPC program; and\n2) GPC purchases complied with spending limits, competitive bid requirements, and Property\nManagement program requirements.\n\nKearney found that while the internal controls over the GPC program are generally adequately\ndesigned, based on the results of the test work performed, the controls are not operating\neffectively. Kearney identified several themes in exceptions that were found during testing of\nGPC transactions. The SEC is not in compliance with current documented policies and\nprocedures, and the SEC has not revised its policies and procedures. In the interim, SEC\ndivisions and offices have adopted unapproved, unofficial operating practices. This includes\nvariation in the use of a BankCard Log to track GPC transactions.\n\nThe SEC does not obtain required approvals or retain required documentation for GPC\ntransactions. Kearney\xe2\x80\x99s testing of GPC transactions identified missing transaction approvals,\nlack of required competitive bids, and missing supporting documentation. For example,\napproximately 20 percent of tested transactions did not provide support for receipt of goods or\nservices.\n\nIn addition, Kearney identified two expenditures that were bifurcated to circumvent approval\ndollar thresholds. Kearney also identified deficiencies in the training and certification of users\nprior to the issuance of GPCs, as well as inadequate control over spending limits and untimely\ncancellation of GPCs. Combined, these deficiencies increase the risk of waste and defalcation\nthrough poor training and monitoring of purchasing practices.\n\nAdditionally, Kearney identified certain instances where the implementation of additional\ncontrols is needed. For example, the Office of Administrative Services (OAS) should set up a\nprocess to ensure completion of GPC training and a signed Letter of Delegation before the GPC\nis issued.\n\nAlthough Kearney noted no occurrences of fraud in its test work, the current internal control\nenvironment creates increased risk of waste, fraud, and abuse in the GPC program. This report\nprovides seventeen recommendations, several of which OAS personnel have begun to address.\nOAS concurred with all seventeen of the findings and recommendations. Management\xe2\x80\x99s\nresponse is included in its entirety in Appendix II.\n                                                   \xc2\xa0\n\n\xc2\xa0                                              1\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\n2.       OBJECTIVES, SCOPE, AND METHODOLOGY\n\nOIG contracted Kearney to conduct this audit as a follow-up to the OIG\xe2\x80\x99s report, Purchase\nCards, which was issued November 25, 2002. Kearney\xe2\x80\x99s audit objectives were to assess the\ndesign of the GPC program\xe2\x80\x99s internal controls and operations and to determine whether:\n\n     \xe2\x80\xa2   Corrective actions from the prior OIG report were implemented.\n     \xe2\x80\xa2   Improper or potentially fraudulent purchases were made through the GPC program.\n     \xe2\x80\xa2   GPC purchases complied with spending limits, competitive bid requirements, and\n         Property Management program requirements.\n     \xe2\x80\xa2   Only authorized employees made purchases through the GPC program.\n     \xe2\x80\xa2   GPCs were deactivated in a timely manner when cardholders left the SEC.\n\nIn performing the test work for the GPC Program, Kearney considered the following key\ncontrols as prescribed in the SEC Administrative Regulations and the Smartpay Purchasing Card\nProgram procedures:\n\n     \xe2\x80\xa2   Current practices are in compliance with formal policies and procedures.\n     \xe2\x80\xa2   Cardholders verified funds were available before making a purchase.\n     \xe2\x80\xa2   Multiple order transactions had quotes from two or more suppliers to justify the vendor\n         that was used.\n     \xe2\x80\xa2   Purchases were recorded on the BankCard log and supporting documentation was\n         retained.\n     \xe2\x80\xa2   Purchases were tax exempt.\n     \xe2\x80\xa2   Cardholders did not exceed their GPC threshold authority.\n     \xe2\x80\xa2   Receiving reports or receipt confirmations for purchases were included in supporting\n         documentation retained by the cardholder.\n     \xe2\x80\xa2   Partial deliveries were not charged the full amount on the GPC.\n     \xe2\x80\xa2   Amended cardholder statements had the supporting documentation sent to the\n         Transaction Disputes Officer.\n     \xe2\x80\xa2   The cardholder reconciled the monthly statement and submitted it to the Approving\n         Official within two days of receipt.\n     \xe2\x80\xa2   The Approving Official approved transactions for payment.\n     \xe2\x80\xa2   Cardholders did not use the GPC to procure prohibited items.\n     \xe2\x80\xa2   The Associate Executive Director, Office of Information Technology (OIT), approved\n         purchases for Automated Data Processing equipment, supplies, or services. A copy of\n         the Procurement Requisition authorizing the purchase was delivered to the property\n         officer, who is responsible for verifying that the information agrees with the data in\n         TRAQ, the property tracking system.\n     \xe2\x80\xa2   Payments were made within 30 calendar days of receipt of the cardholder statement as\n         required by the Prompt Payment Act (Public Law 97-177).\n\nKearney reviewed prior findings and recommendations from the OIG November 25, 2002 report,\nPurchase Cards and found that the SEC closed the report\xe2\x80\x99s seven recommendations regarding\nthe GPC, as the result of corrective action management took to correct the deficiencies.\n\n                                                   \xc2\xa0\n\n\xc2\xa0                                              2\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\nHowever, based on the seventeen recommendations in the report resulting from Kearney\xe2\x80\x99s audit,\nit is evident that the SEC needs to take additional corrective actions.\n\nThe audit\xe2\x80\x99s scope encompassed fiscal year (FY) 2007 and included 4,744 transactions that were\nposted to the GPC from October 1, 2006 to September 30, 2007. The audit focused solely on the\nSEC\xe2\x80\x99s GPC program. Kearney conducted this performance audit in accordance with generally\naccepted government auditing standards. These standards require Kearney to plan and perform\nthe audit in order to obtain sufficient, appropriate evidence to provide a reasonable basis for its\nfindings and conclusions based on the audit objectives. Kearney believes that the evidence\nobtained provides a reasonable basis for its findings and conclusions based on the audit\nobjectives.\n\nKearney interviewed key personnel for the GPC program at SEC headquarters to gain an\nunderstanding of GPC program policy and procedures in place. Personnel interviewed included:\nthe Agency Program Coordinator (APC), GPC holders, Approving Officials, and budget\nanalysts. Kearney performed tests of controls in order to ensure that they were operating as\nintended. Kearney used IDEA\xc2\xae \xe2\x80\x93 Data Analysis Software to compute a sample size at a 95\npercent confidence level. Kearney selected a statistical sample of 76 GPC transactions totaling\n$491,465 from the universe of 4,744 transactions with an absolute value of $9,043,394 posted to\nthe GPC from October 1, 2006 to September 30, 2007, and including all SEC offices.\nConsequently, SEC\xe2\x80\x99s headquarters and its regional offices were included in Kearney\xe2\x80\x99s testing\nprocedures. Cardholders who had a GPC transaction selected in the sample of 76 GPC\ntransactions were selected for cardholder testing, which was performed for 27 of the SEC\xe2\x80\x99s 96\ncardholders. SEC\xe2\x80\x99s operating procedures were first compared to the agency\xe2\x80\x99s formal internal\npolicies and procedures, and then were evaluated against applicable laws, regulations, and best\npractices prescribed by internal control guidance and issued by the Committee of Sponsoring\nOrganizations (COSO) and the Government Accountability Office (GAO). Examples of the\ninternal control guidance include COSO\xe2\x80\x99s Internal Control \xe2\x80\x93 Integrated Framework and GAO\xe2\x80\x99s\nStandards for Internal Control in the Federal Government (Green Book).\n\n3.     BACKGROUND\n\nThe SEC selected Mellon Bank to serve as the vendor for the GPC program. The SEC has 96\nemployees located at its headquarters and regional offices that are approved GPC holders who\nmake purchases on behalf of the agency. The GPC holders primarily make small purchases for\nthe agency for goods and services up to $3,000. The OAS issued guidance for the GPC program,\nthe SECR 10-6, Smartpay Purchasing Card Program, on June 30, 1999.\n\nCardholders are responsible for the GPCs and are directed to use them as prescribed in the SECR\n10-6, Smartpay Purchasing Card Program. All cardholders receive a Letter of Delegation of\nAuthority sanctioning their GPC authority and spending limits, as approved by the Associate\nExecutive Director of OAS. According to the SECR 10-6, Smartpay Purchasing Card Program,\n\xe2\x80\x9cTraining for cardholders and approving officials will be given by the APC. The objective of the\ntraining is to acquaint them with the guidelines in this regulation.\xe2\x80\x9d To satisfy this training\nrequirement, cardholders must complete the General Services Administration\xe2\x80\x99s (GSA) web-\nbased training before they can be issued a GPC.\n                                                  \xc2\xa0\n\n\xc2\xa0                                             3\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\nThe OAS appoints an APC to oversee the GPC program. The APC\xe2\x80\x99s duties include, but are not\nlimited to serving as liaison to Mellon Bank, instructing cardholders and Approving Officials,\nconducting high-level reviews of purchases, following up on disputed charges and billing errors,\netc. Approving Officials serve to ensure the GPC program is administered in compliance with\ngoverning GPC regulations. Approving Officials complete a detailed review of transactions\nprior to approving the cardholders\xe2\x80\x99 statements for payment. OIT must approve all IT purchases\n\xe2\x80\x93 only cardholders in OIT are authorized to make IT purchases.\n\nEach month, Mellon Bank sends a statement to all cardholders. The statement identifies all the\npurchases made on the GPC by transaction. In addition, a consolidated statement is sent to the\nOffice of Financial Management (OFM). The consolidated statement is comprised of all GPC\npurchases and is listed by the name of the cardholder. The consolidated statement is used to\nensure that approved statements are received and the total amount due is remitted to Mellon\nBank. Within two days of receipt, cardholders are required to reconcile and sign the individual\nstatements, and then forward it to the Approving Official, who certifies the statement by signing\nit. OFM only pays statements that both the cardholders and the Approving Officials have signed.\n\n4.     RESULTS\n\nA detailed discussion of Kearney\xe2\x80\x99s findings follows:\n\nOutdated Purchase Card Regulation\n\nThe SECR 10-6, Smartpay Purchasing Card Program, was issued on June 30, 1999 and needs to\nbe revised. The regulation is outdated and consists of procedures that are different from those\ncurrently followed by GPC program officials and cardholders. Thus, GPC program officials and\ncardholders are currently in violation of this SEC regulation in a number of areas. For example,\ncardholders are currently using a small purchase threshold of $3,000 whereas the SECR 10-6,\nSmartpay Purchasing Card Program, establishes a threshold of $2,500.\n\nIn addition, several of the forms detailed in the SECR 10-6, Smartpay Purchasing Card\nProgram, are obsolete. For example, only one department still uses the SEC Form 1710,\nProcurement Requisition.\n\nRecommendation 1\n\nThe Office of Administrative Services should revise the SECR 10-6 Smartpay Purchasing Card\nProgram to reflect relevant procedures that Government Purchase Card program officials and\ncardholders should follow. Additionally, the SECR 10-6, Smartpay Purchasing Card Program,\nshould be revised periodically as procedural or policy changes occur.\n\nBankCard Log Not Used\n\nKearney tested 76 GPC transactions and found that for 44 of the 76 GPC transactions tested, a\nBankCard log was not provided by the cardholder. At a minimum, the BankCard log should\ncontain the vendor\xe2\x80\x99s name, a brief description of the purchase, the amount spent, and the date of\n                                                  \xc2\xa0\n\n\xc2\xa0                                             4\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\npurchase. BankCard logs are required to ensure that all GPC purchases are properly accounted\nfor and comply with current SEC policy. The SECR 10-6, Smartpay Purchasing Card Program,\nSection B, Paragraph 9.c states, \xe2\x80\x9cWhen making a credit card purchase, the cardholder must enter\nthe transaction on the BankCard order log, and retain in a file any documentation associated with\nthe acquisition.\xe2\x80\x9d\n\nOAS officials stated that the SECR 10-6, Smartpay Purchasing Card Program, is outdated and\nthat current practice no longer requires cardholders to use BankCard logs. However, Kearney\nidentified several cardholders that have continued to maintain a BankCard log, and it is an\neffective internal control mechanism. Without the continued use of a BankCard log, individual\nGPC users will not be able to readily verify transactions that appear on GPC statements.\n\nRecommendation 2\n\nThe Office of Administrative Services should require that Government Purchase Cardholders use\na BankCard log (manual or automated) each month to verify purchases.\n\nDocumentation Not Available\n\nThe audit found that cardholders did not retain required documentation to support GPC\ntransactions. Specifically, Kearney found that:\n\n    \xe2\x80\xa2   For 15 of 76 GPC transactions tested, no evidence of receipt of goods or services was\n        available.\n    \xe2\x80\xa2   For 3 of 76 GPC transactions tested, no Mellon Bank GPC Statement was available.\n    \xe2\x80\xa2   For 10 of 76 GPC transactions tested, no invoice was available.\n    \xe2\x80\xa2   For 11 of 76 GPC transactions tested, no availability of funds confirmation was\n        available.\n\nIn addition, the audit found that cardholders did not always retain the Letter of Delegation, which\ndocuments their spending and usage limits, or the GSA training certificate that documents that\nthe cardholder has completed the required training. Specifically, Kearney found that:\n\n    \xe2\x80\xa2   For 5 of 27 cardholders tested, no Letter of Delegation was provided.\n    \xe2\x80\xa2   For 1 of 27 cardholders tested, no GSA web training certificate was provided.\n\nSEC GPC cardholders did not have files that contained all the required documentation. The\nGAO\xe2\x80\x99s Government Auditing Standards, Chapter 1, Section 1.02, states, \xe2\x80\x9cGovernment managers\nare responsible for providing reliable, useful, and timely information for accountability of\ngovernment programs and their operations.\xe2\x80\x9d Further, the SECR 10-6, Smartpay Purchasing\nCard Program, Section B, Paragraph 9.c states, \xe2\x80\x9cWhen making a credit card purchase, the\ncardholder must enter the transaction on the BankCard order log, and retain in a file any\ndocumentation associated with the acquisition.\xe2\x80\x9d Because documentation was not retained,\npurchases were not adequately supported and the cardholders\xe2\x80\x99 delegated authority to use the\nGPC was not evidenced.\n\n                                                  \xc2\xa0\n\n\xc2\xa0                                             5\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\n\n\nRecommendation 3\n\nThe Office of Administrative Services should revise the SECR 10-6, Smartpay Purchasing Card\nProgram, and require cardholders to retain in their files: purchase receipts, Mellon Bank\nGovernment Purchase Card Statements, invoices, confirmations for availability of funds, Letters\nof Delegation, training certificates, etc. The documentation should be readily available for\nreview and stored in a manner that will allow an individual other than the cardholder to find a\nspecific transaction, if necessary.\n\nApprovals Not Obtained\n\nThe audit found that cardholders did not obtain approval of the monthly GPC statement from the\nassigned Approving Official. The SECR 10-6, Smartpay Purchasing Card Program, Section A,\nParagraph 2.f states, \xe2\x80\x9cWhen reconciled and validated by the cardholder, the statement is\nforwarded to the cardholder\xe2\x80\x99s approving official for signature.\xe2\x80\x9d Kearney found that the\nApproving Official did not sign the GPC statement for 4 of 76 transactions that were tested.\nHowever, in those cases, Mellon Bank was paid even though verifiable authorization for\npayment from the assigned Approving Official was not obtained.\n\nRecommendation 4\n\nThe Office of Administrative Services Agency Program Coordinator should periodically issue a\nreminder to cardholders that monthly Government Purchase Card statements must be signed by\nthe assigned Approving Official prior to payment and that without the signed statements,\npayment should not be made.\n\nQuotes Not Obtained\n\nThe SECR 10-6, Smartpay Purchasing Card Program, Section A, Subsection 3, Responsibilities,\nstates, \xe2\x80\x9cPurchases in excess of $2,500 are treated subject to the requirements in 48 CFR Part 13,\xe2\x80\x9d\nand the cardholder \xe2\x80\x9cEnsures that when a purchase exceeds $2,500 with only one source or\nspecific make or model, that an SEC Form 2180, Notation to the File for Non-Competitive\nAction, is prepared.\xe2\x80\x9d In September 2006, the Federal Acquisition Regulation, Part 13 was\nrevised and the micro-purchase threshold was increased from $2,500 to $3,000. The SEC\xe2\x80\x99s GPC\npractice during Kearney\xe2\x80\x99s audit allowed cardholders to use $3,000 as the micro-purchase\nthreshold limit. Therefore, the SECR 10-6, Smartpay Purchasing Card Program, is outdated\nand needs to be revised to reflect the Federal Acquisition Regulation $3,000 micro-purchase\nthreshold limit.\n\nThe audit found that cardholders made GPC purchases without the adequate price verification\nand authorization of procurement method (i.e., sole source). Of the 40 transactions (all of which\nwere over the $3,000 threshold) that were tested, 5 did not have evidence of a quote from the\nvendor or the sole source justification that is required for transactions over $3,000. Without\nobtaining quotes or justifying the use of a sole source, the SEC may not receive the best value for\nthe goods and services it procures. Details of the 5 transactions are provided in the table below:\n                                                  \xc2\xa0\n\n\xc2\xa0                                             6\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\n\n\n                            Table 1. Transactions Without Vendor or\n                                     Sole Source Justification\n                              Date of Transaction         Amount\n                             October 13, 2006             $10,000.00\n                             October 20, 2006               $5,388.63\n                             January 15, 2007             $ 3,327.10\n                             March 8, 2007                $10,120.00\n                             July 20, 2007                $19,250.00\n                             Source: Kearney & Company Generated\n\nRecommendation 5\n\nThe Office of Administrative Services should revise the SECR 10-6, Smartpay Purchasing Card\nProgram, to ensure compliance with the Federal Acquisition Regulation pertaining to vendor\nquotes and the $3,000 micro-purchase threshold limit.\n\nRecommendation 6\n\nThe Program Coordinator should periodically issue a reminder to cardholders that prior to\nmaking a purchase over $3,000, they must obtain and retain evidence of quotes or a sole source\njustification.\n\nSplit Transactions\n\nCardholders used the GPC to make multiple payments to the same vendor, for the same type of\nitems purchased, on the same day. The SECR 10-6, Smartpay Purchasing Card Program,\nSection A, Paragraph 2.p states, \xe2\x80\x9cNeither cardholders nor merchants are allowed to split a single\npurchase into smaller dollar transactions in order to avoid exceeding the single purchase limit.\xe2\x80\x9d\n\nOf the 76 transactions tested, 2 were split purchases. In these situations, the purchases were\ndivided into multiple transactions. For example, one of the split purchase transactions involved a\ncopier maintenance agreement that was paid for each machine, each month, and totaled\n$5,388.63 from October 17, 2006 to October 25, 2006. The second split purchase was for\nseminars totaling $10,120, which was paid for with four $2,530 transactions. By splitting the\npurchases and ignoring the purchase limits, the potential risk of improper purchases increases.\n\nRecommendation 7\n\nThe Office of Administrative Services should issue guidance to cardholders describing what\nconstitutes a split purchase, warning of the prohibition against splitting purchases and specifying\nthe penalty for making a split purchase.\n\nInformation Technology Approval Not Obtained\n\nThe audit found that IT purchases were made without OIT\xe2\x80\x99s prior approval. The sample of 76\nGPC transactions selected contained 34 transactions for IT-related purchases. Kearney tested\n                                                    \xc2\xa0\n\n\xc2\xa0                                               7\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\nthese 34 transactions and found OIT did not approve 2 of the IT-related purchases. Without\nobtaining OIT approval, cardholders can potentially make purchases that are incompatible with\nSEC\xe2\x80\x99s current IT infrastructure.\n\nThe SECR 10-6, Smartpay Purchasing Card Program, Section B, Smartpay Purchasing Card\nProgram, Paragraph 8.a states, \xe2\x80\x9cThe purchase of ADPE [automatic data processing equipment]\nsupplies and services must be approved by the Associate Executive Director, Office of\nInformation Technology (OIT).\xe2\x80\x9d Since this position no longer exists, the SEC\xe2\x80\x99s current practice\nis to have IT purchases made with the GPC approved by either the Assistant Director, Finance\nand Administration Office or the Branch Chief, Budget and Acquisitions Branch within OIT\ndepending on the dollar amount of the purchase and other factors. For 2 of the 34 IT-related\npurchases we reviewed, we found no evidence of OIT approval by these individuals or offices on\nthe SEC Form 1710, OIT Procurement Requisition, or supporting documents maintained by the\ncardholders.\n\nRecommendation 8\n\nThe Office of Administrative Services, in consultation with the Office of Information\nTechnology, should revise SECR 10-6, Smartpay Purchasing Card Program, to reflect current\npractices with regard to approval of information technology purchases made with the\nGovernment Purchase Card. The regulation should also emphasize the importance of\ninformation technology-related purchases being approved by the Office of Information\nTechnology prior to the purchase and clarify the types of purchases that require Office of\nInformation Technology approval. This will help ensure that Information Technology purchases\nare not made until all approvals are obtained.\n\nAvailability of Funds Not Obtained Prior to Purchase\n\nThe audit found that cardholders made purchases on the GPCs prior to obtaining confirmation\nthat funds were available to be obligated. Of the 76 transactions tested, Kearney found 9\ntransactions where the confirmation of availability of funds was not made before the purchase\noccurred. While funding for the 9 transactions was ultimately available, cardholders are not\nauthorized to make purchases without ensuring funding is available. The SECR 10-6, Smartpay\nPurchasing Card Program, Section A, Paragraph 3.d states, \xe2\x80\x9cThe Cardholder: (1) Ensures funds\nare available before making credit card purchases.\xe2\x80\x9d\n\nRecommendation 9\n\nThe Office of Administrative Services Agency Program Coordinator should issue a reminder to\ncardholders that Government Purchase Card transactions must have funds obligated prior to\nmaking a purchase.\n\nIncorrect Fiscal Year Funds Used\n\nOf the 76 GPC transactions Kearney tested, ten were committed in FY 2006 and paid in FY\n2007. However, Kearney found that two of the ten transactions were paid with FY 2007 funds,\n                                                \xc2\xa0\n\n\xc2\xa0                                           8\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\nwhen FY 2006 funds should have been used. In those cases, FY 2006 funds should have been\nused because the purchases originated in FY 2006. Cardholders had to identify which\ncommitments were open at the end of FY 2006 and then inform OFM so that the manual\nprocesses required by the Momentum system to reserve funds into the next FY could be\ncompleted. If the manual process was not done, then funds would not be reserved and current\nyear funds would be required for payment.\n\nRecommendation 10\n\nThe Office of Administrative Services Agency Program Coordinator should consult with the\nOffice of Financial Management to verify that obligations that are open at the end of the fiscal\nyear are rolled forward into the next fiscal year.\n\nLate Payment\n\nFor GPC purchases tested, 12 of 76 were paid over 30 days after receipt of the Mellon Bank\nGPC statement. Per 5 CFR 1315.10, Late Payment Interest Penalties, \xe2\x80\x9cInterest will be\ncalculated from the day after the payment due date through the payment date at the interest rate\nin effect on the day after the payment due date\xe2\x80\xa6.\xe2\x80\x9d The root cause of the late payments could not\nbe determined from the GPC transaction testing because no systemic trends were identified. Due\nto the late payments, the SEC paid $2,655 in interest to Mellon Bank, thus incurring unnecessary\ncosts.\n\nRecommendation 11\n\nThe Office of Administrative Services Agency Program Coordinator and the Office of Financial\nManagement should work together to identify underlying root causes, thereby ensuring payments\nare made to Mellon Bank within 30 days after receipt of the Mellon Bank Government Purchase\nCard statement.\n\nTraining Not Provided\n\nThe audit determined that the APC does not offer formal training to cardholders as directed by\nthe SECR 10-6, Smartpay Purchasing Card Program. Cardholders only take training provided\nonline by GSA. Upon completion of the training, the cardholder forwards the certification to the\nAPC. However, based on a comparison of the GSA online training to the SECR 10-6, Smartpay\nPurchasing Card Program, the guidance contains numerous policies that are not covered in the\nGSA on-line training such as:\n\n    \xe2\x80\xa2   Authorized usage limits and Merchant Category Code access.\n    \xe2\x80\xa2   Review of the card statement and submission to the Approving Official.\n    \xe2\x80\xa2   What to do in case of a partial delivery.\n    \xe2\x80\xa2   What to do for a billing error or a dispute.\n    \xe2\x80\xa2   IT approval requirement.\n    \xe2\x80\xa2   Policies upon separation.\n\n                                                  \xc2\xa0\n\n\xc2\xa0                                             9\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\nThe APC occasionally sends cardholders an email to remind them of GPC policy. However, the\nAPC\xe2\x80\x99s e-mail distribution list does not include all cardholders.\n\nThe SECR 10-6, Smartpay Purchasing Card Program, Section B, Smartpay Purchasing Card\nProgram, Paragraph 18, Training, Subsection a, states that, \xe2\x80\x9cTraining for cardholders and\napproving officials will be given by the APC. The objective of the training is to acquaint them\nwith the guidelines in this regulation.\xe2\x80\x9d The lack of proper training can lead to misunderstanding\nand misuse of the GPC.\n\nRecommendation 12\n\nThe Office of Administrative Services should develop a formal Securities and Exchange\nCommission Government Purchase Card training course and set up a plan to rollout the training\nto all cardholders in a timely manner.\n\nRecommendation 13\n\nThe Office of Administrative Services Agency Program Coordinator should update the email\ndistribution list to ensure that Government Purchase Card email messages are sent to all\ncardholders.\n\nUntimely Certification\n\nMost cardholders received their GPC and purchase delegation authority prior to completing the\nappropriate GPC training and signing the Letter of Delegation. Without taking GPC-related\ntraining and signing a Letter of Delegation, cardholders will not be aware of the GPC limitations\nand governing regulations. Thus, the risk of GPC misuse and/or abuse increases. Specifically,\nKearney found that:\n\n    \xe2\x80\xa2   Out of 27 cardholders tested, 20 completed the GSA web training after being issued the\n        GPC.\n    \xe2\x80\xa2   Out of 27 cardholders tested, 24 signed their Letter of Delegation after being issued the\n        GPC.\n\nThe SECR 10-6, Smartpay Purchasing Card Program, Section A, Paragraph 3.b (3) states that\nthe APC, \xe2\x80\x9cProvides information and conducts training to approving officials, cardholders, and\nothers who may become involved in the SmartPay Purchasing Card Program.\xe2\x80\x9d\n\nThe SECR 10-6, Smartpay Purchasing Card Program, Section A, Paragraph 2.g\nstates, \xe2\x80\x9cDelegation of Authority. A memorandum issued by the Associate Executive Director,\nOAPM, [now OAS] that delegates the SEC employee as an authorized cardholder. This\ndelegation of authority specifies:\n\n    (1) The spending and usage limitations unique to that cardholder; and\n    (2) The merchant category codes (MCC) the cardholder is permitted to use.\xe2\x80\x9d\n\n                                                  \xc2\xa0\n\n\xc2\xa0                                            10\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\nHowever, currently no one has the responsibility to verify that GPC training was completed and\nthe Letter of Delegation was signed before the GPC is issued to the cardholder.\n\nRecommendation 14\n\nThe Office of Administrative Services should set up a process to ensure completion of\nGovernment Purchase Card training and a signed Letter of Delegation before the Government\nPurchase Card is issued to the cardholder.\n\nInadequate Control over Limits\n\nThe audit found that the OAS has not established procedures to require the APC to review actual\nGPC limits per the Mellon Bank against limits set forth in the Letter of Delegation. Kearney\nfound that 5 of 27 cardholders had transaction limits that did not agree to the limits set forth in\ntheir Letter of Delegation. Improper limits create an environment where the SEC is more\nsusceptible to improper use of the GPC due to increased exposure.\n\nRecommendation 15\n\nThe Office of Administrative Services should develop procedures to review and ensure that\ncardholder limits agree to the Letter of Delegation and the Government Purchase Card provider\non a regular basis.\n\nCancellation of the Government Purchase Card\n\nCardholders that leave SEC employment are required to surrender the GPC to either the\nApproving Official or an OFM representative. The cardholders leaving the SEC must complete\nSEC Form 1455 (4-07), Employee Clearance Record, upon separation. However, it is not\nrequired to be filed until the day the person separates the SEC. This gives the employee the use\nof the GPC until their last day of service. The practice allows for the increased risk of misuse of\nthe GPC, because the cardholder can make unauthorized purchases that will not be detected or\nverified by the Authorizing Official until after the person no longer works for the SEC.\n\nRecommendation 16\n\nThe Office of Administrative Services should revise the SECR 10-6, Smartpay Purchasing Card\nProgram, and require supervisors or the Approving Official to notify the Agency Program\nCoordinator that a cardholder is leaving the Securities and Exchange Commission. The Agency\nProgram Coordinator should immediately suspend the cardholder\xe2\x80\x99s Government Purchase Card.\n\nAPC Segregation of Duties\n\nFrom February 2006 to February 2007, the APC had access to a GPC and performed oversight\nfunctions for the GPC program, creating an environment that allows for easier misuse of the\nGPC. A fundamental element of internal control is the segregation of certain key duties so that\n\n                                                  \xc2\xa0\n\n\xc2\xa0                                            11\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\nan individual does not have the authority to approve purchase card transactions and serve as a\ncardholder at the same time.\n\nRecommendation 17\n\nThe Office of Administrative Services should revise the SECR 10-6, Smartpay Purchasing Card\nProgram, to ensure that the Agency Program Coordinator does not have direct access to a\nGovernment Purchase Card.\n\n\n\n\n                                                 \xc2\xa0\n\n\xc2\xa0                                           12\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\n                                                                                    Appendix I\n\n                         List of Recommendations\n\nRecommendation 1\n\nThe Office of Administrative Services should revise the SECR 10-6 Smartpay Purchasing Card\nProgram to reflect relevant procedures that Government Purchase Card program officials and\ncardholders should follow. Additionally, the SECR 10-6, Smartpay Purchasing Card Program,\nshould be revised periodically as procedural or policy changes occur.\n\nRecommendation 2\n\nThe Office of Administrative Services should require that Government Purchase Cardholders use\na BankCard log (manual or automated) each month to verify purchases.\n\nRecommendation 3\n\nThe Office of Administrative Services should revise the SECR 10-6, Smartpay Purchasing Card\nProgram, and require cardholders to retain in their files: purchase receipts, Mellon Bank\nGovernment Purchase Card Statements, invoices, confirmations for availability of funds, Letters\nof Delegation, training certificates, etc. The documentation should be readily available for\nreview and stored in a manner that will allow an individual other than the cardholder to find a\nspecific transaction, if necessary.\n\nRecommendation 4\n\nThe Office of Administrative Services Agency Program Coordinator should periodically issue a\nreminder to cardholders that monthly Government Purchase Card statements must be signed by\nthe assigned Approving Official prior to payment and that without the signed statements,\npayment should not be made.\n\nRecommendation 5\n\nThe Office of Administrative Services should revise the SECR 10-6, Smartpay Purchasing Card\nProgram, to ensure compliance with the Federal Acquisition Regulation pertaining to vendor\nquotes and the $3,000 micro-purchase threshold limit.\n\nRecommendation 6\n\nThe Program Coordinator should periodically issue a reminder to cardholders that prior to\nmaking a purchase over $3,000, they must obtain and retain evidence of quotes or a sole source\njustification.\n\n                                                \xc2\xa0\n\n\xc2\xa0                                          13\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\nRecommendation 7\n\nThe Office of Administrative Services should issue guidance to cardholders describing what\nconstitutes a split purchase, warning of the prohibition against splitting purchases and specifying\nthe penalty for making a split purchase.\n\nRecommendation 8\n\nThe Office of Administrative Services, in consultation with the Office of Information\nTechnology, should revise SECR 10-6, Smartpay Purchasing Card Program, to reflect current\npractices with regard to approval of information technology purchases made with the\nGovernment Purchase Card. The regulation should also emphasize the importance of\ninformation technology-related purchases being approved by the Office of Information\nTechnology prior to the purchase and clarify the types of purchases that require Office of\nInformation Technology approval. This will help ensure that Information Technology purchases\nare not made until all approvals are obtained.\n\nRecommendation 9\n\nThe Office of Administrative Services Agency Program Coordinator should issue a reminder to\ncardholders that Government Purchase Card transactions must have funds obligated prior to\nmaking a purchase.\n\nRecommendation 10\n\nThe Office of Administrative Services Agency Program Coordinator should consult with the\nOffice of Financial Management to verify that obligations that are open at the end of the fiscal\nyear are rolled forward into the next fiscal year.\n\nRecommendation 11\n\nThe Office of Administrative Services Agency Program Coordinator and the Office of Financial\nManagement should work together to identify underlying root causes, thereby ensuring payments\nare made to Mellon Bank within 30 days after receipt of the Mellon Bank Government Purchase\nCard statement.\n\nRecommendation 12\n\nThe Office of Administrative Services should develop a formal Securities and Exchange\nCommission Government Purchase Card training course and set up a plan to rollout the training\nto all cardholders in a timely manner.\n\n\n\n\n                                                  \xc2\xa0\n\n\xc2\xa0                                            14\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\nRecommendation 13\n\nThe Office of Administrative Services Agency Program Coordinator should update the email\ndistribution list to ensure that Government Purchase Card email messages are sent to all\ncardholders.\n\nRecommendation 14\n\nThe Office of Administrative Services should set up a process to ensure completion of\nGovernment Purchase Card training and a signed Letter of Delegation before the Government\nPurchase Card is issued to the cardholder.\n\nRecommendation 15\n\nThe Office of Administrative Services should develop procedures to review and ensure that\ncardholder limits agree to the Letter of Delegation and the Government Purchase Card provider\non a regular basis.\n\nRecommendation 16\n\nThe Office of Administrative Services should revise the SECR 10-6, Smartpay Purchasing Card\nProgram, and require supervisors or the Approving Official to notify the Agency Program\nCoordinator that a cardholder is leaving the Securities and Exchange Commission. The Agency\nProgram Coordinator should immediately suspend the cardholder\xe2\x80\x99s Government Purchase Card.\n\nRecommendation 17\n\nThe Office of Administrative Services should revise the SECR 10-6, Smartpay Purchasing Card\nProgram, to ensure that the Agency Program Coordinator does not have direct access to a\nGovernment Purchase Card.\n\n\n\n\n                                                \xc2\xa0\n\n\xc2\xa0                                          15\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\n                                                                                           Appendix II\n\n                            Management Comments\n\n\n\n\n    Recommendation 1\n\nThe Office of Administrative Services (OAS) should revise the SECR 10-6 Smartpay Purchasing Card\nProgram to reflect relevant procedures that Government Purchase Card program officials and cardholders\nshould follow. Additionally, the SECR 10-6, Smartpay Purchasing Card Program, should be revised\nperiodically as procedural or policy changes occur.\n\nResponse\n\nConcur. The OAS is drafting a new regulation to replace SECR 10-6 with an estimated release date of\nMarch 2009.\n\nRecommendation 2\n\nThe Office of Administrative Services should require that Government Purchase Cardholders use a\nBankcard log (manual or automated) each month to verify purchases.\n\nResponse\n\nConcur.\n\n     \xe2\x80\xa2   On August 7th, the APC notified all cardholders to begin using a GPC log and provided a sample\n         log for consistency (Attachment A).\n\n     \xe2\x80\xa2   The APC will verify use of the GPC log during monthly oversight reviews.\n                                                     \xc2\xa0\n\n\xc2\xa0                                               16\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\nRecommend closure of this finding.\n\nRecommendation 3\n\nThe Office of Administrative Services should revise the SECR 10-6, Smartpay Purchasing Card\nProgram, and require cardholders to retain in-their files: purchase receipts, Mellon Bank Government\nPurchase Card Statements, invoices, confirmations for availability of funds, Letters of Delegation,\ntraining certificates, etc. The documentation should be readily available for review and stored in a manner\nthat will allow an individual other than the cardholder to find a specific transaction, if necessary.\n\nResponse\n\nConcur with comments.\n\n    \xe2\x80\xa2   The Office of Financial Management\xe2\x80\x99s (OFM) financial system houses all\n        commitment/obligation history and is readily accessible.\n\n    \xe2\x80\xa2   The APC notified all GPC holders on August 7th to maintain a log and keep all GPC records\n        (receipts, invoices, CQs, etc) in a safe place for a period of 3 years\n        (Attachment A).\n\n    \xe2\x80\xa2   Effective August 14th, the APC randomly pulls files on a monthly basis to ensure compliance\n        (Attachments B&C).\n\n    \xe2\x80\xa2   The APC maintains electronic copies of all cardholder and approving official training and\n        delegations on the J:Drive.\n\n    \xe2\x80\xa2   OAS has contracted for an electronic archive system that will be in place on or about March\n        2009. The system will archive and allow for easy retrieval of GPC documentation starting from\n        the initial request, monthly statements, and backup documentation through to the final\n        statement/cancellation.\n\nRecommendation 4\n\nThe Office of Administrative Services Agency Program Coordinator should periodically issue a reminder\nto cardholders that monthly Government Purchase Card statements must be signed by the assigned\nApproving Official prior to payment and that without the signed statements, payment should not be made.\n\nResponse\n\nConcur.\n   \xe2\x80\xa2 The APC issues a reminder monthly to all cardholders that the AO must sign their statement\n      before sending it to OFM (Attachment D).\n\n    \xe2\x80\xa2   The cardholder Delegation Letter states that the AO must sign all statements (Attachment E).\n\n    \xe2\x80\xa2   Both the AO and the cardholder sign the Acknowledgement and Acceptance memorandum before\n        the APC orders a card (Attachment F).\n\n\n                                                      \xc2\xa0\n\n\xc2\xa0                                                17\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\n    \xe2\x80\xa2   The APC gives OFM a current list of cardholders identifying their approving officials\n        (Attachment G).\n\nRecommend closure of this finding.\n\nRecommendation 5\n\nThe Office of Administrative Services should revise the SECR 10-6, Smartpay Purchasing Card\nProgram, to ensure compliance with the Federal Acquisition Regulation pertaining to vendor quotes and\nthe $3,000 micro-purchase threshold limit.\n\nResponse\n\nConcur. The OAS is drafting a new regulation to replace SECR 10-6 with an estimated release date of\nMarch 2009.\n\nRecommendation 6\n\nThe Program Coordinator should periodically issue a reminder to cardholders that prior to making a\npurchase over $3,000; they must obtain and retain evidence of quotes or a sole source justification.\n\nResponse\n\nConcur. The APC will continue to send periodic reminders to cardholders to obtain and retain evidence\nof quotes or a sole source justification in their files for purchases over $3,000 (Attachment H).\n\nRecommend closure of this finding.\n\nRecommendation 7\n\nThe Office of Administrative Services should issue guidance to cardholders describing what constitutes a\nsplit purchase and warning of the prohibition against splitting purchases and specifying the penalty for\nmaking a split purchase.\n\nResponse\n\nConcur.\n\n    \xe2\x80\xa2   The APC has issued guidance and warnings concerning misuse of the GPC to all cardholders\n        (Attachment J).\n\n    \xe2\x80\xa2   The APC monitors GPC purchases in pvsnet, which is the Mellon Bank\xe2\x80\x99s automated purchase\n        card system, and addresses with the appropriate cardholder all purchases that appear to be split.\n\nRecommend closure of this finding.\n\n\n\n\n                                                      \xc2\xa0\n\n\xc2\xa0                                                18\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\nRecommendation 8\n\nOAS in consultation with the Office of Information Technology should revise SECR 10-6, Smartpay\nPurchasing Card Program, to reflect current practices with regard to approval of IT purchases made with\nthe Government Purchase Card. The regulation should also emphasize the importance of IT-related\npurchases being approved by the Office of Information Technology prior to the purchase and clarify the\ntypes of purchases that require OIT approval. This will help ensure that Information Technology\npurchases are not made until all approvals are obtained.\n\nResponse\n\nConcur. The OAS is drafting a new regulation to replace SECR 10-6 with an estimated release date of\nMarch 2009. The new regulation will address policies regarding the use of the GPC to purchase IT related\nitems.\n\nRecommendation 9\n\nThe Office of Administrative Services Agency Program Coordinator should issue a reminder to\ncardholders that Government Purchase Card transactions must have funds obligated prior to making a\npurchase.\n\nResponse\n\nConcur. The APC has issued a reminder to cardholders (Attachment K).\n\nRecommend closure of this finding.\n\nRecommendation 10\n\nThe Office of Administrative Services Agency Program Coordinator should consult with the Office of\nFinancial Management to verify that obligations that are open at the end of the fiscal year are rolled\nforward into the next fiscal year.\n\nResponse\n\nConcur.\n\n    \xe2\x80\xa2   The OFM and the APC have consulted on ways to verify open commitments at the end of the\n        fiscal year.\n\n    \xe2\x80\xa2   OFM plans to re-institute the process whereby funds are obligated rather than committed prior to\n        using the GPC. It is planned to re-institute the process to coincide with the transition of the GPC\n        Program to JPMorgan Bank in November 2008.\n\nRecommendation 11\n\nThe Office of Administrative Services Agency Program Coordinator and the Office of Financial\nManagement should work together to identify underlying root causes, thereby ensuring payments are\nmade to Mellon Bank within 30 days after receipt of the Mellon Bank Government Purchase Card\nstatement.\n                                                      \xc2\xa0\n\n\xc2\xa0                                                19\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\nResponse 11\n\nConcur.\n\n    \xe2\x80\xa2   Since early 2008, OFM pays the bank as the approved statements arrive.\n\n    \xe2\x80\xa2   The APC sends emails periodically throughout the month reminding cardholders of the due date\n        (Attachment L).\n\n    \xe2\x80\xa2   Since June 2008, cardholders receive their bank statements via email, which provides them 7 to\n        10 additional calendar days to process their statements.\n\n    \xe2\x80\xa2   As of March 2008, OFM receives approved statements via email rather than receiving paper\n        statements, which contributed to lost statements and a longer processing time.\n\nRecommend closure of this finding.\n\nRecommendation 12\n\nThe Office of Administrative Services should develop a formal Securities and Exchange Commission\nGovernment Purchase Card training course and set up a plan to rollout the training to all cardholders in a\ntimely manner.\n\nResponse 12\n\nConcur: The APC developed formal training and conducted the first class on August 6, 2008 to new\ncardholders. To ensure adequate time for existing cardholders to attend classes the APC plans to conduct\n5 classes between August 2008 and March 2009. The APC will offer training quarterly thereafter\n(Attachment M).\n\nRecommend closure of this finding.\n\nRecommendation 13\n\nThe Office of Administrative Services Agency Program Coordinator should update the email distribution\nlist to ensure that Government Purchase Card email messages are sent to all cardholders.\n\nResponse 13\n\nConcur. The GPC distribution list is up-to-date and will be maintained (Attachment N).\n\nRecommend closure of this finding.\n\n\nRecommendation 14\n\nThe Office of Administrative Services should instruct the Agency Program Coordinator and Approving\nOfficials to require completion of Government Purchase Card training and a signed Letter of Delegation\nbefore the Government Purchase Card is issued to the cardholder.\n\n                                                      \xc2\xa0\n\n\xc2\xa0                                                20\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\nResponse 14\n\nConcur.\n\n    \xe2\x80\xa2   The OAS is drafting a new regulation to replace SECR 10-6 with an estimated release date of\n        March 2009. The regulation will address the requirement to complete GPC training and to return\n        a signed memorandum of Acknowledgement and Acceptance before issuing a GPC.\n\n    \xe2\x80\xa2   The APC will revise AO delegation letters to stipulate that AO\xe2\x80\x99s must ensure that CHs have\n        current certificates of training prior to approving a GPC statement.\n\nRecommendation 15\n\nThe Office of Administrative Services should develop procedures to review and ensure that cardholder\nlimits agree to the Letter of Delegation and the Government Purchase Card provider on a regular basis.\n\nResponse 15\n\nConcur. On a quarterly basis, the APC will verify cardholder limits against delegation letters. The APC\ncan also access spending limits real-time via the internet and may receive reports upon request from the\nbank.\nRecommend closure of this finding.\n\nRecommendation 16\n\nThe Office of Administrative Services should revise the SECR 10-6, Smartpay Purchasing Card\nProgram, and require supervisors or the Approving Official to notify the Agency Program Coordinator\nthat a cardholder is leaving the Securities and Exchange Commission. The Agency Program Coordinator\nshould immediately suspend the cardholder's Government Purchase Card.\n\nResponse 16\n\nConcur. The OAS will incorporate this recommendation into the new SECR 10-6 with an estimated\nrelease date of March 2009.\n\n\nRecommendation 17\n\nThe Office of Administrative Services should develop procedures to ensure that the Agency Program\nCoordinator does not have direct access to a Government Purchase Card.\n\nResponse 17\n\nConcur. The OAS will incorporate this recommendation into the new SECR 10-6 with an estimated\nrelease date of March 2009. The card issued to the current APC was cancelled in February 2008 at the\ndirection of the head of the contracting activity.\n\n\n\n\n                                                     \xc2\xa0\n\n\xc2\xa0                                               21\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\n                                                                                 Appendix III\n\n                  Office of Inspector General\n              Response to Management Comments\xc2\xa0\n\nThe Office of Administrative Services (OAS) concurred with all 17 findings and\nrecommendations and they indicated that several recommendations are already being\nimplemented. For 9 of the 17 findings, OAS provided the Office of Inspector General (OIG)\nwith supporting documentation and requested the recommendations be closed. As part of our\naudit follow-up process we will conduct a detailed review of the supporting documentation OAS\nhas provided OIG and based on our confirmation that the corrective action satisfactorily\naddresses the report\xe2\x80\x99s findings and recommendations, we will close the recommendations\naccordingly.\n\n\n\n\n                                               \xc2\xa0\n\n\xc2\xa0                                         22\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\n\n                             Audit Request and Ideas\n\nThe Office of Inspector General welcomes your input. If you would like to request an audit in\nthe future or have an audit idea, please contact us at:\n\nU.S. Securities and Exchange Commission\nOffice of Inspector General\nAttn: Assistant Inspector General, Audits (Audit Request/Ideas)\n100 F Street, N.E.\nWashington D.C. 20549-2736\n\nTel. # 202-551-6061\nFax # 202-772-9265\nEmail: oig@sec.gov\n\n\n\n\n       Hotline\n       To report fraud, waste, abuse, and mismanagement at SEC, contact the\n       Office of Inspector General at:\n\n       Phone: 877.442.0854\n\n       Web-Based Hotline Complaint Form: www.reportlineweb.com/sec_oig\n\n\n\n\n                                                   \xc2\xa0\n\n\xc2\xa0\n\xc2\xa0\n\n\xc2\xa0\n\x0c"